Marc,
Some of this is by design.
In the Pix, traffic "flows" from interfaces of a higher security level to
ones of a lower level as long as there is not a rule to deny it
(Outbound/apply or ACL). For example a simple, but not recommended, solution
is to add conduit ICMP permit any any. This will allow Ping in all
directions. This is OK for testing but should not be used on a production
unit. For the DNS you may try,
Access-list DNS Permit UDP host <DMZHostIP> <DNSServerIP> eq 53
Access-list DNS Permit TCP host <DMZHostIP> <DNSServerIP> eq 53 (For Zone
transfers and very large queries)
access-list acl_ID [deny | permit] protocol {source_addr | local_addr}
{source_mask | local_mask} operator port {destination_addr | remote_addr}
{destination_mask | remote_mask} operator port
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/a.htm#xtocid5

And then 
access-group DNS in interface Inside (Assuming your DNS Server is on your
internal network)

access-group acl_ID in interface interface_name
This should permit only DNS to the inside; you will obviously need to make
rules for other traffic. As far as the Pix not accepting inbound
communication that is weird, I haven't experienced this before. You didn't
mention your version, it may be time to upgrade. 6.1(1) has been stable in
my experience. HTH
Ken

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
On Behalf Of Mark Campbell
Sent: Friday, February 01, 2002 6:15 AM
To: 'Marc Sahr'; [EMAIL PROTECTED]
Subject: RE: SQL and web across the PIX

Check your logs for any info as to why this would be happening, also check
the security level and NAT statement on your interfaces.  

I have a similar thing that I have been battling with.  I use a Pix 525 with
6.1 IOS.  My one mail server is on an interface with security level 20 and
my Unix DNS server is on another interface with security level 25.

My PIX denies all connection from the MX server to the DNS server, because
of the security levels even though I have no access lists on those
interfaces blocking access between the two.  When I ping from the MX to DNS
the PIX blocks it, when I ping from the DNS to MX it replies and the PIX
builds a connection and I can access the DNS server from the MX server.
Very annoying at the best of times...but it works.

I also have a problem with a web server behind the PIX, I allow access to
port 80 from the outside.  The server only gets accessed once in a while so
after a period (haven't figured out the exact idle time) the PIX blocks any
connection to the server (even if it is HTTP traffic). It only works again if I
ping from the server to the outside. For the life of me I can't get any
documentation or help with this problem...

Hope this helps you...

Regards,

Mark Campbell
Network Engineer
Siemens Business Services
Tel - +27 11 380 4760   
Fax - +27 11 380 4710
Cell - +27 83 326 9321
Email - [EMAIL PROTECTED]

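As an added illustration of the two mechanisms discussed in this thread (Ken's point that, with no access-group bound, a PIX only passes traffic from a higher security level to a lower one, and Mark's MX-to-DNS symptom, which is exactly that default at work), here is a small Python model. It is not Cisco code and not from either poster: it parses access-list lines in the syntax Ken quotes, binds them with access-group and evaluates packets against the bound list or, failing that, the security levels. Every interface name, level and address is an assumption; the DNS list is bound inbound on the DMZ interface, where the web server's queries enter the PIX, and NAT, conduits and connection state are ignored.

```python
"""Toy model of the PIX forwarding decision: an access-list bound inbound
with access-group decides, otherwise traffic may only flow from a higher
security level to a lower one. Constructed example, not Cisco code; every
address, interface name and level below is an assumption."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"domain": 53, "www": 80, "smtp": 25}   # constructed subset
OPERATORS = {"eq", "neq", "gt", "lt"}

def parse_port(tok: str) -> int:
    return PORT_NAMES.get(tok.lower()) or int(tok)

def take_addr(toks: list) -> ipaddress.IPv4Network:
    """Consume one address spec: 'any' | 'host A.B.C.D' | 'A.B.C.D MASK'."""
    tok = toks.pop(0).lower()
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(toks.pop(0) + "/32")
    return ipaddress.IPv4Network(f"{tok}/{toks.pop(0)}", strict=False)

def take_port(toks: list):
    """Consume an optional 'operator port' pair; (None, None) if absent."""
    if toks and toks[0].lower() in OPERATORS:
        op = toks.pop(0).lower()
        return op, parse_port(toks.pop(0))
    return None, None

def port_ok(op, want, have) -> bool:
    if op is None:
        return True          # rule has no port qualifier on this side
    if have is None:
        return False         # rule wants a port, packet has none (e.g. ICMP)
    return {"eq": have == want, "neq": have != want,
            "gt": have > want, "lt": have < want}[op]

@dataclass
class Rule:
    acl: str
    action: str                      # permit | deny
    proto: str                       # ip | tcp | udp | icmp
    src: ipaddress.IPv4Network
    src_op: Optional[str]
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_op: Optional[str]
    dst_port: Optional[int]

    def matches(self, proto, src, dst, sport, dport) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return (port_ok(self.src_op, self.src_port, sport)
                and port_ok(self.dst_op, self.dst_port, dport))

def parse_access_list(line: str) -> Rule:
    """access-list acl_ID {deny|permit} proto src mask [op port] dst mask [op port]"""
    toks = line.split()
    if toks[0].lower() != "access-list":
        raise ValueError(line)
    acl, action, proto, rest = toks[1], toks[2].lower(), toks[3].lower(), toks[4:]
    src, (src_op, src_port) = take_addr(rest), take_port(rest)
    dst, (dst_op, dst_port) = take_addr(rest), take_port(rest)
    return Rule(acl, action, proto, src, src_op, src_port, dst, dst_op, dst_port)

class Pix:
    def __init__(self, levels: dict, networks: dict):
        self.levels = levels                              # iface -> security level
        self.nets = {i: ipaddress.IPv4Network(n) for i, n in networks.items()}
        self.acls = {}                                    # acl_ID -> [Rule]
        self.groups = {}                                  # iface -> ACL bound inbound

    def configure(self, text: str) -> None:
        for line in text.strip().splitlines():
            toks = line.split()
            if toks and toks[0].lower() == "access-list":
                rule = parse_access_list(line)
                self.acls.setdefault(rule.acl, []).append(rule)
            elif toks and toks[0].lower() == "access-group":
                self.groups[toks[4].lower()] = toks[1]   # ... in interface <name>

    def iface_for(self, addr) -> str:
        """Longest-prefix match: the interface whose network holds addr."""
        return max((i for i, n in self.nets.items() if addr in n),
                   key=lambda i: self.nets[i].prefixlen)

    def permits(self, proto, src, dst, dport=None, sport=None) -> bool:
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        ingress, egress = self.iface_for(src), self.iface_for(dst)
        acl = self.groups.get(ingress)
        if acl is not None:
            for rule in self.acls.get(acl, []):
                if rule.matches(proto, src, dst, sport, dport):
                    return rule.action == "permit"
            return False      # implicit deny at the end of every bound ACL
        return self.levels[ingress] > self.levels[egress]

# Constructed topology: DMZ web server 192.168.1.10, inside DNS 10.0.0.53,
# inside SQL server 10.0.0.20; the DNS list is bound where the queries enter.
DEMO_CONFIG = """
access-list DNS permit udp host 192.168.1.10 host 10.0.0.53 eq domain
access-list DNS permit tcp host 192.168.1.10 host 10.0.0.53 eq 53
access-group DNS in interface dmz
"""

def build_demo() -> Pix:
    fw = Pix(levels={"outside": 0, "dmz": 50, "inside": 100},
             networks={"outside": "0.0.0.0/0", "dmz": "192.168.1.0/24",
                       "inside": "10.0.0.0/24"})
    fw.configure(DEMO_CONFIG)
    return fw
```

Running `build_demo().permits("udp", "192.168.1.10", "10.0.0.53", dport=53)` returns True via the first DNS entry, while the same web server talking to the inside SQL host on MS SQL's default TCP 1433 returns False: once a list is bound to the DMZ interface, the level-based default for that interface is replaced by the list's implicit deny, which is why Ken notes that the other traffic needs rules of its own. A second Pix with only levels 20 and 25 and no list reproduces Mark's observation that the 25-level side can initiate to the 20-level side but not the reverse.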

-----Original Message-----
From: Marc Sahr [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, January 29, 2002 5:48 PM
To: [EMAIL PROTECTED]
Subject: SQL and web across the PIX

2nd go-round of this problem:
 
I still can't get my web server and my SQL server to communicate
successfully (i.e. login to the SQL database application from the browser
window) through the PIX. To reiterate the scenario: My MS IIS 5 web
server is located on the DMZ, my SQL 2000 server is located on the
inside interface, and the clients are on the outside interface. All
servers and clients are W2K/SP2. All servers are latest service pack for
their respective platforms. 
 
Clients can see the website as a static-translated IP address through
the PIX. They can't log on to the SQL application (error message is
MS-speak for "can't find database").
 
All ports are allowed access through ACLs on the PIX bidirectionally
through the PIX. Remember this is a test environment so that's OK. All
protocols are allowed access as above.
 
All hosts can ping each other, their interfaces, etc. ICMP is allowed in
the config.
 
So, I ask again: Any ideas?
 
TIA,
Marc Sahr
Network Administrator
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
 

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls